Fortinet black logo

External Systems Configuration Guide

Microsoft Windows Defender ATP

Microsoft Windows Defender Advanced Threat Protection (ATP)

Integration points

Protocol Information Discovered Used For
Windows Defender API REST API Security and Compliance

Configuring Windows Defender for FortiSIEM REST API Access

Microsoft provides ample documentation here.

Follow the steps specified in 'Enabling SIEM integration', repeated here.

  1. Login to Windows Defender Center.
  2. Go to Settings > SIEM.
  3. Select Enable SIEM integration.
  4. Choose Generic API.
  5. Click Save Details to File.
  6. Click Generate Tokens.

Configuring FortiSIEM for Windows Defender ATP REST API Access

Use the account in previous step to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create Windows Defender REST API credential:
    1. Choose Device Type = Microsoft Windows Defender ATP (Vendor = Microsoft, Model = Windows Defender ATP).
    2. Choose Access Protocol = Windows Defender ATP Alert REST API.
    3. Enter the Tenant ID for the credential created in Section 10.2.
    4. Password Config: for Manual, enter the Client ID and Client Secret for the credential created here. For CyberArk, see CyberArk Password Configuration.
    5. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    6. Click Save.
  4. Enter an IP Range to Credential Association:
    1. Set Hostname to wdatp-alertexporter-us.windows.com.
    2. Select the Credential created in step 3 above.
    3. Click Save.
  5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct.
  6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.

To test for events received via Windows Defender ATP REST API:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Windows Defender ATP entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.

Microsoft Windows Defender Advanced Threat Protection (ATP)

Integration points

Protocol Information Discovered Used For
Windows Defender API REST API Security and Compliance

Configuring Windows Defender for FortiSIEM REST API Access

Microsoft provides ample documentation here.

Follow the steps specified in 'Enabling SIEM integration', repeated here.

  1. Login to Windows Defender Center.
  2. Go to Settings > SIEM.
  3. Select Enable SIEM integration.
  4. Choose Generic API.
  5. Click Save Details to File.
  6. Click Generate Tokens.

Configuring FortiSIEM for Windows Defender ATP REST API Access

Use the account in previous step to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create Windows Defender REST API credential:
    1. Choose Device Type = Microsoft Windows Defender ATP (Vendor = Microsoft, Model = Windows Defender ATP).
    2. Choose Access Protocol = Windows Defender ATP Alert REST API.
    3. Enter the Tenant ID for the credential created in Section 10.2.
    4. Password Config: for Manual, enter the Client ID and Client Secret for the credential created here. For CyberArk, see CyberArk Password Configuration.
    5. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    6. Click Save.
  4. Enter an IP Range to Credential Association:
    1. Set Hostname to wdatp-alertexporter-us.windows.com.
    2. Select the Credential created in step 3 above.
    3. Click Save.
  5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct.
  6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.

To test for events received via Windows Defender ATP REST API:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Windows Defender ATP entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.